How schools can better protect themselves against cyberattacks

Reported cyberattacks against K-12 schools in the US have hit 301 so far in 2019 compared to 124 in 2018 and 218 in 2017, according to a new report from security provider Barracuda Networks.

Cybersecurity Awareness Month: How individuals and businesses can stay vigilant October is Cybersecurity Awareness Month, and the Identity Theft Resource Center is providing tips to keep consumers and companies safe.

When we think of cyberattacks, we tend to think of them affecting companies and businesses. But other types of organizations are just as susceptible to security threats, if not more so. One prime example is schools.

K-12 schools have seen an increase this year in threats including data breaches, malware, phishing attacks, network hacks, and denial-of-service attacks. In many ways, schools are more vulnerable than larger enterprises to cyberattacks as school systems often lack the necessary staffing, money, and resources to fully protect themselves. But there are actions schools can take to shore up their security measures, as outlined in a report released Thursday by Barracuda Networks.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic Premium) 

Threats against US and UK schools

Cyberattacks targeting US schools have risen this year, according to Barracuda's analysis of data from the K-12 Cybersecurity Resource Center. So far in 2019, schools have reported 301 attacks, up from 124 last year and 218 in 2017. These numbers account only for reported cases, so the amounts are likely higher when factoring in unreported and undetected attacks.

Schools in the UK also have been victims of cyberattacks. A recent report from the National Cyber Security Centre (NCSC) found that 83% of the 432 UK schools analyzed have been hit by at least one cybersecurity incident, even though 98% of them had an antivirus solution in place and 99% has some type of firewall.

Among the US schools included in the data from the K-12 Cybersecurity Resource Center, the most common threat was data breaches, accounting for 31% of all attacks. Malware accounted for 23% of all attacks, followed by phishing at 13%, network hacks at 10%, and denial-of-service attacks at 4%. The accidental disclosure of data accounted for 16%, while other incidents accounted for 3%.

Most of the malware attacks reported to the K-12 Cybersecurity Resource Center were actual infections rather than attempts, so there were likely many attempts not reported or blocked by security software. Some 17% of the malware attacks were related to ransomware. Malware successfully infected computers in 30% of the UK schools examined, according to the NCSC report. Incidents in which malware infected school computers in both the US and UK led to downtime while the infection could be contained.

Among US schools, 5% of the phishing attacks reported to the K-12 Cybersecurity Resource Center were W-2 scams. Many of those stemmed from a W-2 phishing campaign launched in 2017, but these incidents have been reported for several years, a sign that this is a repeated type of attack designed to target schools during tax season.

Phishing attacks in which schools or school districts were scammed out of money accounted for 4% of the total. In the UK, 69% of the UK schools reported phishing attempts, while 20% said they had received phishing emails impersonating actual school emails, according to the NCSC.

Insider threats also pose a risk to schools, particularly from students attempting to change grades, earn the respect of their peers, or just bypass a security measure that bothers them. In the US, 21% of the schools detected the unauthorized use of computers, networks, or servers by students. Some 6% of the security incidents in the US were known to have been carried out by students.

Why schools are vulnerable

Schools often are more vulnerable to cyberattacks in comparison with larger companies and enterprises, and for a variety of reasons.

Many school districts may have only one or two IT people to serve the entire district, so the staffers are spread thin. Budget constraints have affected many schools, limiting the amount of money they can spend on security solutions. Most schools likely have the necessary security set up on individual computers and even the overall network. But comprehensive perimeter protection may not be in place, potentially leading to data breaches and malware hosted on the school's website.

Young students don't necessarily have the skills or training to adequately identify phishing emails and other threats, so such attacks are often more successful. The number of tablets and other devices issued by schools has increased in recent years and because of that, students may use those devices on outside networks that aren't secure, thereby raising the risk of infection.

How schools can better protect themselves

Even in the face of budget constraints and other limitations, schools should have adequate security measures in place to protect themselves, their data, and their students from security threats. Here are four suggestions offered by Barracuda in the report.

  • Perimeter security. Perimeter security typically includes network firewalls, web filters, email protection, and application firewalls. Though cost-effective products are available, many school districts may still be challenged to find the funds for a full security solution. But without this type of protection, attack vectors will persist.
  • Internal network security. Intrusion detection, data backup, and anti-malware solutions are important elements for catching any breaches in perimeter security. But these measures are even more critical in light of the risk of insider threats. Included in Windows 10, Windows Security offers good anti-malware protection and is more effective and comprehensive than the version of Windows Defender that comes with Windows 7. However, not all schools can afford to upgrade all their computers to Windows 10. No matter which operating system is running, keeping up with security patches is vital to protect against the latest forms of malware.
  • Incident response capabilities. If a breach occurs, intrusion detection and incident response solutions can discover the incidents and help security personnel isolate and contain it. Data backup should also be part of an overall security process in case any files get corrupted or removed.
  • Knowledgeable staff. Having a capable IT security staff is difficult for many school districts where the budget has to prioritize the need for more teachers and other employees. But without the proper staff, the ability to patch systems, set up the right security, and deal with cybersecurity incidents will continue to be a challenge.

"A comprehensive security portfolio is key to preventing security incidents in schools," said Jonathan Tanner, senior security researcher at Barracuda Networks. 

"Perimeter protection including firewalls, email protection, web content control, and web application protection for school websites all play an important role in keeping threats out of school networks," Tanner said. "When threats do slip through or involve an insider threat of students attacking a school network, it's also important to have protections such as intrusion detection, anti-malware software, and data backup."

Barracuda analyzed data from all US schools but relied on reported incidents, therefore, unreported incidents or reported ones that flew under its radar would have been overlooked. The site has been tracking incidents since 2016, so just under four years' worth of incidents were included.

The National Cyber Security Centre report was based on responses from 432 schools. "Participation was particularly high in London, South East England, and Scotland, but there was representation from all parts of the UK," according to the report.

Also see